Trusted — Risk Score 5/100
Last scan: 1 day ago
kalshi-paper-trading
Kalshi-native paper trading ledger and CLI for binary prediction contracts. Use for paper opens, marks, reconciliation, valuation, and review without relying on the generic spot-style paper trader.
A clean, well-structured Kalshi paper trading ledger implemented in pure TypeScript using Node.js built-ins and node:sqlite, with no malicious indicators, no credential harvesting, no obfuscation, and declared network access to an official Kalshi API endpoint.
Skill Name: kalshi-paper-trading
Duration: 30.3s
Engine: pi
Safe to install
Approve for use. The skill performs exactly as documented — paper trading ledger management with optional live market sync from api.elections.kalshi.com.

Findings 1 items

Severity: Low
Finding: allowed-tools metadata not populated (Doc Mismatch)
SKILL.md declares no allowed-tools mapping. The actual capabilities (network:READ to Kalshi API, filesystem:WRITE to local DB) are implied by command examples but not formally listed. This is a documentation hygiene issue with no security impact.
metadata: openclaw: { emoji, requires: { bins: [node] } }
→ Add allowed-tools section to SKILL.md metadata: network:READ, filesystem:WRITE, database:WRITE, environment:READ
Location: SKILL.md:1
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | WRITE | ✓ Aligned | scripts/kalshi_paper.ts:233 — stores SQLite DB to ~/.openclaw/ |
| Network | NONE | READ | ✓ Aligned | SKILL.md lines 51-55 — sync-market and buy-from-market commands fetch from api.e… |
| Database | NONE | WRITE | ✓ Aligned | scripts/kalshi_paper.ts:233 — SQLite DatabaseSync for local ledger |
| Shell | NONE | NONE | | No subprocess/spawn in scripts/kalshi_paper.ts — tests use spawn only |
| Environment | NONE | READ | ✓ Aligned | scripts/kalshi_paper.ts:225 — reads optional KALSHI_BASE_URL env var |
| Skill Invoke | NONE | NONE | | No cross-skill invocation |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
2 findings
Medium External URL
https://docs.kalshi.com
SKILL.md:4
Medium External URL
https://api.elections.kalshi.com/trade-api/v2
scripts/kalshi_paper.ts:221

File Tree

4 files · 61.7 KB · 2146 lines
TypeScript 1f · 1274L Markdown 2f · 481L JavaScript 1f · 391L
├─ 📁 references
│ └─ 📝 kalshi-paper-ledger.md Markdown 370L · 7.9 KB
├─ 📁 scripts
│ └─ 📜 kalshi_paper.ts TypeScript 1274L · 38.5 KB
├─ 📁 tests
│ └─ 📜 kalshi_paper.test.mjs JavaScript 391L · 12.1 KB
└─ 📝 SKILL.md Markdown 111L · 3.1 KB

Dependencies 3 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| node:sqlite | builtin | node | No | Node.js built-in — no external package dependency |
| node:fs | builtin | node | No | Node.js built-in for SQLite DB directory creation |
| node:crypto | builtin | node | No | Node.js built-in for UUID generation |

Security Positives

✓ Pure Node.js built-ins only (node:crypto, node:fs, node:sqlite, node:os, node:path) — zero external dependencies
✓ No credential harvesting — KALSHI_BASE_URL is an optional, named, documented override
✓ No sensitive path access (no ~/.ssh, ~/.aws, .env enumeration)
✓ No obfuscation — all code is plain TypeScript, no eval, no atob, no base64 execution
✓ No remote script execution (no curl|bash, no wget|sh)
✓ Local SQLite database scoped to ~/.openclaw/kalshi-paper.db — no system-wide writes
✓ Network calls limited to one official, hardcoded Kalshi API endpoint
✓ Append-only execution log with average-cost accounting — no speculative state mutation
✓ Comprehensive unit tests with in-process HTTP server mocking